A closer look at hackers' sophisticated attack on Target

That is one way to think about the spectacular Target Corp. security breach that compromised up to 40 million customer credit and debit cards in late November and early December.

Security experts said the data theft was, in all likelihood, a meticulously planned and intricately coordinated attack to penetrate the retailer’s defenses and make off with a spectacular booty — not unlike the complex con jobs in the famed Hollywood movie and its two sequels.

The real-life heist would have looked kind of boring on the big screen, though, since it was likely just a bunch of geeks on computers, hacking through Target’s electronic defenses — potentially with covert help from within.

Their specific method for accessing that treasure trove of consumer-card data isn’t clear, since Target and the U.S. Secret Service aren’t saying much about the breach and are still investigating.

Security experts, left to speculate, said the criminals could have pursued any number of “attack vectors.” They were after that card data, but they had a wide variety of approaches for snaring it.

What almost certainly did not happen: A crook or crooks physically entering Target stores and directly tinkering with one or more of those card swipers. This has been known to happen at ATMs, or in restaurants with dishonest waitstaff.

But that would have been too small-potatoes for the Target criminals, who would have sought to compromise the point-of-sale systems on a grand scale. One way to do that: Penetrate the servers responsible for periodically updating the software, or “firmware,” that makes the card swipers go.

This, at some point, would have caused infected software to be installed on the POS gear, as a way to give the crooks access in some fashion.

Maybe they weren’t after the POS gear at all, security experts speculate. Perhaps they attacked at some point after the swipers hand off card info to servers inside or outside the stores. Maybe they sought to penetrate those servers directly.

Such attacks are often complex with many layers, said Ken Westin, a security researcher at the Oregon-based security-software vendor Tripwire.

“A hacker can find a tiny vulnerability to get into a server, and then move laterally” to exploit other vulnerabilities, Westin said. “Once you get your foot in the door, all heck breaks loose.”

And this could have been an inside job, said John Murphy, a network-security researcher at the New Hampshire-based network-security vendor FlowTraq.

“Someone in IT would have had a wider variety of options” for compromising security, he noted.

Target carelessness also could be a piece of the puzzle, said Tim Erlin, Tripwire’s Minnesota-based director of IT security and risk strategy.

The company might have failed to follow the principle of “least privilege,” which means giving data access only to systems that require it. Or it might have been negligent in not keeping all of its systems up to all-important Payment Card Industry data-security specs, Erlin said.

Regardless, “the thing that strikes me is the level of organization, the level of planning,” in pulling off the data heist, he added.

The fictional Danny Ocean, played by George Clooney, might have been impressed.